What is the difference between GDPR and Cyber Essentials?

The GDPR has been the hot topic for many businesses recently. It applies from 25 May 2018 and brings with it a raft of changes that require better standards of data protection. However, it is not the only set of standards that businesses need to bear in mind: the UK government's Cyber Essentials scheme matters for organisations looking to ensure (and demonstrate) that cyber security is a key consideration. So, what is the difference between the two?


The key difference between the Cyber Essentials scheme and the requirements of the GDPR is that the latter is a matter of law. The government established Cyber Essentials to give businesses a baseline set of technical controls for better protection, and suppliers bidding for government contracts that involve handling certain sensitive and personal information must be certified against the scheme. Beyond that, there is no legal requirement for businesses to be Cyber Essentials certified. The same is not true of the GDPR. The significant changes it requires (e.g. handling subject access requests within the new time limits, obtaining informed, positive consent) must be factored into business processes and infrastructure. A failure to comply with the GDPR can result in penalties, not least administrative fines of up to €20 million or 4% of annual global turnover, whichever is the higher.

Risk management

Both the GDPR and Cyber Essentials play a key role in managing the risks that businesses face today. At the heart of both is a new attitude to data and its security, particularly given the very wide range of threats in the online world. The GDPR, for example, requires companies to reassess how they process and handle personal data, to ensure that this is done only when necessary and with appropriate technical and organisational security measures in place. Cyber Essentials, by contrast, is about preventing the most common cyber attacks, identifying the risks they present to data (and systems) and managing those risks through a defined set of controls.

Cultural change

A positive change in attitudes is another theme common to both Cyber Essentials and the GDPR. The controls set out in Cyber Essentials (boundary firewalls, secure configuration, user access control, malware protection and patch management) are designed to make protection against phishing, malware and opportunistic hacking an ingrained part of company culture. The GDPR demands an attitude overhaul in data management on a much wider scale: transparency, data subject access rights and data security are its foundations. Compliance with the GDPR should mean that the entire culture of an organisation, from the top down, is much more aware of the value of data, the potential threats to it and what the consequences of loss or breach might be.


The GDPR requires a much deeper level of organisational change to achieve compliance, from honouring a data subject's right to erasure (the "right to be forgotten") to the new requirement to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible. Cyber Essentials is simpler and easier to implement, with provisions focused on one part of data protection: cyber security.

Do you need both?

There are some clear differences between Cyber Essentials and the GDPR in terms of legal status and the complexity involved. However, the two complement each other: the GDPR requires appropriate technical measures to secure personal data, and Cyber Essentials certification is a recognised way of implementing, and evidencing, a baseline of such measures. While GDPR compliance may be the biggest challenge for many businesses right now, it is important that Cyber Essentials is not forgotten. Together they ensure that both the legal obligations and the common technical vulnerabilities a business faces are addressed.

If you would like support with your IT in the light of incoming regulatory change, and to ensure you have the right data security in place, we can help.

About Us

Marathon Professional Services is your trusted IT solutions partner. We offer a range of services including Desktop Infrastructure Solutions and Virtualisation, and we act on a white-labelled basis as an extension of your business.